[c-nsp] when is an acl entry created? router ios

false jctx09 at yahoo.com
Thu Mar 21 13:57:43 EDT 2013


Hello,

I need to know what exactly constitutes a hit on an access-list. I was doing some troubleshooting and I did not get the expected results. I thought the first packet to match would be equal, but it looks like it may require a 3-way handshake.

I have an extended access-list in place on a 2811 router for troubleshooting/logging. I was troubleshooting inbound traffic, so I stripped away the CBAC and existing ACLs from the interface. I then began doing a telnet test such as "telnet 192.168.2.80 80" from a Windows machine, and then I would review the log to verify it got hit by the ACL. This test worked.

I then set up a dummy NAT entry with port 27. I do not have a service running on port 27 (of course), but I wanted to see if the initial SYN packet would cause it to log a hit. It never did. So does the ACL entry creation require a 3-way handshake?

My original goal was to determine why SMTP (port 25) traffic isn't hitting my mail server. I never see any hits. Thank you.

interface FastEthernet0/1
 ip address dhcp client-id FastEthernet0/1
 ip access-group 124 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled

ip nat inside source static tcp 192.168.2.41 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.2.34 1723 interface FastEthernet0/1 1723
ip nat inside source static tcp 192.168.2.34 3389 interface FastEthernet0/1 3389
ip nat inside source static tcp 192.168.2.34 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.2.34 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.2.34 27 interface FastEthernet0/1 27
ip nat inside source route-map test_pmap interface FastEthernet0/1 overload

ROUTER01#sh log | inc 24.201.81.44
037251: Mar 18 20:05:08.467 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet
037358: Mar 18 20:08:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 1 packet

ROUTER01#
access-list 124 permit udp any gt 0 any gt 0 log
access-list 124 permit tcp any gt 0 any gt 0 log
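An added example, not part of the original post, for the log review described above: it parses %SEC-6-IPACCESSLOGP lines in the format shown, sums logged packets per destination port for one ACL, and reports which of the static NAT ports (25, 27, 80, 1723, 3389 from the config) never appear. The sample log lines are constructed from the format in the post, with two extra lines added to show aggregation and a non-ACL message; the port list and function names are assumptions.

```python
import re
from collections import Counter

# Regex for the IOS %SEC-6-IPACCESSLOGP message format seen in the post:
#   list 124 permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet
IPACCESSLOGP = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

def parse_line(line):
    """Return a dict for one IPACCESSLOGP line, or None if it is another message."""
    m = IPACCESSLOGP.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec

def hits_by_dport(lines, acl=None):
    """Sum logged packet counts per (proto, dport), optionally for one ACL only."""
    totals = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or (acl is not None and rec["acl"] != acl):
            continue
        totals[(rec["proto"], rec["dport"])] += rec["count"]
    return totals

def ports_never_hit(lines, expected_ports, acl=None, proto="tcp"):
    """Ports from expected_ports (e.g. the static NAT ports) with no logged hit."""
    seen = hits_by_dport(lines, acl)
    return sorted(p for p in expected_ports if (proto, p) not in seen)

# Constructed sample in the format shown in the post (not real log data)
SAMPLE_LOG = """\
037251: Mar 18 20:05:08.467 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17743) -> 134.134.134.134(1723), 1 packet
037358: Mar 18 20:08:32.052 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17850) -> 134.134.134.134(80), 1 packet
037360: Mar 18 20:09:01.100 PCTime: %SEC-6-IPACCESSLOGP: list 124 permitted tcp 24.201.81.44(17851) -> 134.134.134.134(80), 3 packets
037361: Mar 18 20:09:05.000 PCTime: %SYS-5-CONFIG_I: Configured from console by console
""".splitlines()

if __name__ == "__main__":
    NAT_PORTS = [25, 27, 80, 1723, 3389]  # static NAT ports from the posted config (assumed list)
    for (proto, port), n in sorted(hits_by_dport(SAMPLE_LOG, "124").items()):
        print(f"{proto}/{port}: {n} packet(s)")
    print("no hits seen for:", ports_never_hit(SAMPLE_LOG, NAT_PORTS, "124"))
```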
